Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Friday, November 20, 2009

Apple vs. Kaspersky - Functionality Wins

Let me set the backdrop for you like this... I just loaded a new machine with Windows 7 primarily to continue to use some of the "can't replace" Windows apps ... one of them being iTunes for my iPhone. As far as installations go, everything went great! I installed the OS first, then my stand-by anti-virus Kaspersky (KAV) 2010... then I went and installed iTunes 9. Everything was solid.

Once I got everything else I needed installed I started to re-load my iTunes library from the ginormous external drive I have ... and still, all was good. Last thing I needed to do was re-download all my podcasts.

Now, let me remind you in case you've somehow managed to forget, how much I value functionality over security. I don't. I think the rate at which outrageously unnecessary functionality wins out over common-sense security is appalling. Moving right along with the story ...

I bought a few songs via iTunes, downloaded them successfully and started rocking out while the podcasts were supposed to download. I read some email ... I "twittered", and read some blogs from my Google reader. I then went back to my iTunes only to find that it had failed at downloading every... single ... podcast. Every single one had failed with an error -3458. Googling the error I couldn't find anything coherent, or relevant beyond iTunes 7 ... even some stuff that recommended I check permissions on folders. But since iTunes had just installed itself on a new machine, and everything else was working - even downloading newly purchased music - I was baffled.

This is where my spidey sense kicked in and I thought ... "hrmm, what if Kaspersky is somehow causing this?" What I did next was turn OFF (pause, as KAV calls it) the anti-virus client and try downloading the podcasts again. The result? You guessed it ... everything started downloading smoothly.

I was absolutely baffled. Why in the world would downloading regular music work fine, while downloading podcasts fail? Totally baffling. Without digging into a packet sniffer (which I had not yet installed on that machine) I emailed my go-to Kaspersky support guy and Kenneth quickly responded (as he always does ... which makes me wonder if he sleeps?). Anyway ... there was no internal knowledgebase hint at Kaspersky but what he suggested was mind-boggling from a "security oriented person".

Kenneth suggested I configure Kaspersky Antivirus to trust iTunes.exe and iTunesHelper.exe ... for no other reason than "it would probably work". Did it? Yea, sadly this solution works.

Now, we had a longer conversation about what's going on behind the scenes, and apparently it has something to do with the way that iTunes (thanks Apple) is ever-expanding what iTunes actually does on your system ... and something dealing with the way that podcasts are downloaded goes beyond what the normal profile for an application allows ... thus podcasts fail to download unless you explicitly trust iTunes binaries on your machine.

OK, so here's my problem. First ... what the hell is Apple doing with iTunes that requires such a "constantly changing software profile" as Kaspersky support put it?! I would really like to figure out what Apple's doing, and why they feel the need to change the program fingerprint "with every update" ... very interesting indeed.

Now, what has this taught me? Once again boys and girls ... functionality has run amok. The answer, of course, if you want the cool things that programs like iTunes do ... is that you have to take away the security controls. I don't know about you but explicitly trusting iTunes makes my skin crawl ... I really wish that there were other alternatives for connecting to the iTunes online store.

I'm mad as hell folks ... mad as hell that functionality, over and over, and over ... continues to win over common-sense security controls. I guess as long as cool widgets are built that even people like me can't seem to live without ... this will remain the status quo and there is no incentive to change.

*facepalm*

Have you run into anything like this? Have a feature vs security story to tell? Either leave a comment or catch me on Twitter (@RafalLos) - I want to publish the best one out there!

2 comments:

"functionality, over and over, and over ... continues to win over common-sense security controls."

This sounds like the whole PC/microcomputer revolution in a nutshell. We've traded functionality and convenience for security and 'correctness' over and over again.

When all data was controlled by a small group of professional analysts and programmers, the only data that ever left the mainframe was in the form of carefully prepared, validated, vetted paper reports that took weeks to design & QA. The only way to lose or expose that data was via a paper report. A file cabinet and a shredder were all that was needed to assure the security and confidentiality of the data. Because there was only one report for a given problem or set of data, everyone agreed on the validity of the data, and the conclusions that could be drawn.

Then we put the sacred mainframe on the network and let wide swaths of people directly access the data in an ad-hoc sort of fashion. They joined tables without understanding the data model, they joined, queried and filtered until they got the numbers that they wanted, downloaded the data to their floppies & laptops which they promptly left lying around the coffee shops and airports.

It sounds like I'm stretching a bit, but (to me), if you step way back & look at the whole revolution, good or bad, right or wrong, trading anything and everything for convenience and functionality is what got us where we are today.

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up to misuse and attack better.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.